diff --git a/config/sample-config.yaml b/config/sample-config.yaml
index 4e4e7d4..c7ff22d 100644
--- a/config/sample-config.yaml
+++ b/config/sample-config.yaml
@@ -1,3 +1,6 @@
+# With this sample config the distinction between PG groups and users is
+# done by the LOGIN/NOLOGIN attribute. Any non-superuser account
+# is considered as LDAP-synchronized.
 # Connection parameters to LDAP server
 # see also: http://net-ldap.rubyforge.org/Net/LDAP.html#method-c-new
@@ -13,6 +16,7 @@ ldap_connection:
 ldap_users:
   base: OU=company,OU=company,DC=company,DC=de
   # LDAP filter (according to RFC 2254)
+  # defines to users in LDAP to be synchronized
   filter: (&(objectClass=person)(objectClass=organizationalPerson)(givenName=*)(sn=*))
   # this attribute is used as PG role name
   name_attribute: sAMAccountName
@@ -20,7 +24,7 @@ ldap_users:
 # Search parameters for LDAP groups which should be synchronized
 ldap_groups:
   base: OU=company,OU=company,DC=company,DC=de
-  filter: (|(cn=cc.group1)(cn=group2)(cn=group3))
+  filter: (|(cn=group1)(cn=group2)(cn=group3))
   # this attribute is used as PG role name
   name_attribute: cn
   # this attribute must reference to all member DN's of the given group
@@ -44,7 +48,7 @@ pg_users:
 pg_groups:
   # Filter for identifying LDAP generated groups in the database.
   # It's the WHERE-condition to "SELECT rolname, oid FROM pg_roles"
-  filter: NOT rolcanlogin
+  filter: NOT rolcanlogin AND NOT rolsuper
   # Options for CREATE RULE statements
   create_options: NOLOGIN
   grant_options:
diff --git a/config/sample-config2.yaml b/config/sample-config2.yaml
new file mode 100644
index 0000000..b3001a1
--- /dev/null
+++ b/config/sample-config2.yaml
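Review bot: The comment added under `ldap_users` in the second hunk, `# defines to users in LDAP to be synchronized`, is ungrammatical and does not say what the filter does; `# selects which LDAP users are synchronized` carries the same meaning clearly. The same line is added verbatim in the new config/sample-config2.yaml and should be fixed there as well.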
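Review bot: The widened `pg_groups.filter` in the last hunk, `NOT rolcanlogin AND NOT rolsuper`, together with the new header comment that every non-superuser account counts as LDAP-synchronized, makes any locally created NOLOGIN, non-superuser role match as LDAP-managed; if the sync removes roles that are absent from LDAP (the diff does not show the sync logic, so this is inferred) such local roles would be dropped. The second sample added in this same commit, config/sample-config2.yaml, scopes the filter by membership in a marker role via `pg_auth_members`, which is the narrower default and avoids that blast radius. If the attribute-based variant is kept, the header comment should state the consequence explicitly, e.g. `# NOTE: every NOLOGIN, non-superuser role in the database is treated as LDAP-managed; keep locally administered roles out of this set.`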
@@ -0,0 +1,54 @@
+# With this sample config the distinction between LDAP-synchronized
+# groups/users from is done by the membership to ldap_user and
+# ldap_group. These two roles has to be defined manally.
+
+# Connection parameters to LDAP server
+# see also: http://net-ldap.rubyforge.org/Net/LDAP.html#method-c-new
+ldap_connection:
+  host: ldapserver
+  port: 389
+  auth:
+    method: :simple
+    username: CN=username,OU=!Serviceaccounts,OU=company,DC=company,DC=de
+    password: secret
+
+# Search parameters for LDAP users which should be synchronized
+ldap_users:
+  base: OU=company,DC=company,DC=prod
+  # LDAP filter (according to RFC 2254)
+  # defines to users in LDAP to be synchronized
+  filter: (&(objectClass=person)(objectClass=organizationalPerson)(givenName=*)(sn=*)(sAMAccountName=*))
+  # this attribute is used as PG role name
+  name_attribute: sAMAccountName
+
+# Search parameters for LDAP groups which should be synchronized
+ldap_groups:
+  base: OU=company,DC=company,DC=prod
+  filter: (cn=company.*)
+  # this attribute is used as PG role name
+  name_attribute: cn
+  # this attribute must reference to all member DN's of the given group
+  member_attribute: member
+
+# Connection parameters to PostgreSQL server
+# see also: http://rubydoc.info/gems/pg/0.11.0/PGconn#initialize-instance_method
+pg_connection:
+  host:
+  dbname: postgres
+  user:
+  password:
+
+pg_users:
+  # Filter for identifying LDAP generated users in the database.
+  # It's the WHERE-condition to "SELECT rolname, oid FROM pg_roles"
+  filter: oid IN (SELECT pam.member FROM pg_auth_members pam JOIN pg_roles pr ON pr.oid=pam.roleid WHERE pr.rolname='ldap_users')
+  # Options for CREATE RULE statements
+  create_options: LOGIN IN ROLE ldap_users
+
+pg_groups:
+  # Filter for identifying LDAP generated groups in the database.
+  # It's the WHERE-condition to "SELECT rolname, oid FROM pg_roles"
+  filter: oid IN (SELECT pam.member FROM pg_auth_members pam JOIN pg_roles pr ON pr.oid=pam.roleid WHERE pr.rolname='ldap_groups')
+  # Options for CREATE RULE statements
+  create_options: NOLOGIN IN ROLE ldap_groups
+  grant_options:
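Review bot: The header comment names the marker roles `ldap_user` and `ldap_group`, but the `pg_users`/`pg_groups` filters (`pr.rolname='ldap_users'`, `pr.rolname='ldap_groups'`) and the `IN ROLE` create options use `ldap_users` and `ldap_groups`; an administrator who creates the roles as the comment spells them ends up with filters that match nothing, so the comment should read `# groups/users is done by membership of the ldap_users and ldap_groups roles. These two roles have to be created manually.` The `# Options for CREATE RULE statements` comments under `pg_users` and `pg_groups` presumably mean `CREATE ROLE`. The `ldap_connection` stanza binds with `method: :simple` on port 389 and ships a literal `password: secret`; if the loader passes options through to Net::LDAP, its `encryption` option is where a TLS/STARTTLS transport would be configured, and a placeholder such as `password: "<ldap-bind-password>"` keeps a real bind credential out of the sample. Note also that the bare `host:`, `user:` and `password:` under `pg_connection` and the trailing `grant_options:` parse as null rather than empty strings, which may be intended for socket/default connections but deserves a comment.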